Tivoli through pfsense
-
Hi all
I have a problem when the server in dmz try to connect to the tivoli server in the lan, to make backups.
when I launch the tivoli client (in the server in dmz) I see the pf states increasing about 200/250 and the load averages of the pfsense box (a soekris 4801) go up to 15.0 and higher. I loose control of the firewall (from webconfigurator and from ssh) untill I stop the tivoli client.
Other connections seem to not be affected and users don't notice anyhing, while the tivoli copy go very slow.any idea ?
Giacomo
-
Hi all
I have a problem when the server in dmz try to connect to the tivoli server in the lan, to make backups.
when I launch the tivoli client (in the server in dmz) I see the pf states increasing about 200/250 and the load averages of the pfsense box (a soekris 4801) go up to 15.0 and higher. I loose control of the firewall (from webconfigurator and from ssh) untill I stop the tivoli client.
Other connections seem to not be affected and users don't notice anyhing, while the tivoli copy go very slow.any idea ?
Yeah, actually, I do :) A 4801 can only handle about 30Mbit of traffic. You've flattened it with your backup traffic. You'll want a bigger box for your DMZ, something that can handle at least the line rate you have between the DMZ and the backup server (keeping in mind that if you have a 100Mbit connection and you backup at 100Mbit, you won't have any bandwidth left for anything else).
–Bill
-
enabling device polling will help to keep the webgui/ssh responsive at the cost of lower transferrates (devicepolling mode is not tuned for the embeddeds, see http://wiki.pfsense.com/wikka.php?wakka=Tuning for results how to optimize this for a WRAP which is comparable with the soekris 4801).
-
enabling device polling will help to keep the webgui/ssh responsive at the cost of lower transferrates (devicepolling mode is not tuned for the embeddeds, see http://wiki.pfsense.com/wikka.php?wakka=Tuning for results how to optimize this for a WRAP which is comparable with the soekris 4801).
with this tuning I have the cpu at 100% all the time.
I think that the soekris cpu will fry soon.Giaco
-
it's not the optimum platform if you plan to load it all the time this way, however it should handle periods of backups (of course they take longer than if using another platform).
If you really plan to make this kind of throughput possible you should be fine with a platform based on a via C3 1GHz for example. I have some miniitx based systems with rather crappy nics (via rhine) that can handle 100 mbit/s wirespeed. netio between two machines without a pfSense in between gives me 90 mbit/s and with pfSense running on this platform 87-89 mbit/s (measured factory default config with NAT WAN to LAN).
Check out our recommended vendors. Some offer embedded and/or 19" platforms with these specs: http://pfsense.com/index.php?id=40
-
and what about to set the dmz_if (that one connected to the server that need to be backuped) at 10megabit ?
is it possibile to do it with pfsense ?thanks again
Giacomo
-
It would of course throttle/limit the traffic to 10 mbit/s but it's not really recommended as this can easily lead to autonegotiation missmatches when used with switches or other devices which then causes lot's of collisions.
See http://faq.pfsense.org/index.php?action=artikel&cat=10&id=38&artlang=en&highlight=hidden%20xml how to do it.
-
And of course, 10Mbit is slower than the 30Mbit or so you were getting before which means your backups will take even longer! No, you really really want a bigger box ;)
–Bill